Hello, I have an Edgerouter X with some VLANs set up. I have a Pi-hole on my secure LAN, on an unRAID server. Pi-hole is working properly on that subnet. I'd like to utilize the Pi-hole across my other VLANs. I've tried many firewall configurations and can't seem to get it working properly. Right now I have the firewall set up so the Secure LAN can establish with the other VLANs but not the other way around.
Does anyone have experience utilizing Pi-hole across VLANs?
Correct. You should only use the Pi-hole IP address. No public resolvers. The ideal scenario would be to have two Pi-holes, just in case one goes south, which I have experienced.
@nu2ubiq wrote:
Correct. You should only use the Pi-hole IP address. No public resolvers. The ideal scenario would be to have two Pi-holes, just in case one goes south, which I have experienced.
I was just reading the Pi-hole docs, and it appears the Pi-hole is a caching forwarder (or can also be configured to be a caching resolver with unbound).
So is there really an advantage to having the DNS requests go to the ER instead of putting a firewall rule in the GUEST_TO_LAN ruleset to allow DNS requests to 192.168.10.2:53 tcp_udp, and having the DHCP server hand out 192.168.10.2 as the DNS server address?
Another advantage (or disadvantage if looking at it from a privacy point of view) is that the Pi-hole would know where the DNS request was coming from, which could be useful when looking for "suspicious" activity from an IoT device. When the ER is forwarding to the Pi-hole, my guess is that the Pi-hole would see the request coming from the ER, so the response would be sent back to the ER so it could update its cache, but that implies that all requests would be aggregated into requests from the ER, without the ability for the Pi-hole to determine what the original requester was.
I am also wondering how well the Pi-hole will be able to work with DoH (DNS over HTTPS), which it seems will bypass the Pi-hole, or is there some way to block that and force the browser to make the request to the Pi-hole?
Hey @BuckeyeNet ,
I know it's filtering because 1- I tested many websites on the 192.168.10.0/24 network and no ads will show up on desktop, phones, etc.😊 (It's pretty great) And 2- it does show a pretty neat dashboard with stats. Here is what mine looks like now:
I have removed 8.8.8.8 from the Edgerouter's config for the 192.168.10.0/24 network. It only points to the Pi-hole now: 192.168.10.2. So it's working on the 192.168.10.0/24 network. It shows this when I do an ipconfig /all on Windows 10:
DNS Servers . . . . . . . . . . . : 192.168.10.2
Ok. Good news. I got it working. 🤘 😊 🤘
I had to move the "allow PiHole DNS" rule to the top of the ruleset. OMG. What a relief. I tested on the phone and NO ADS!
I created a rule in the ruleset GUEST_TO_LAN called "allow PiHole DNS":
I'm allowing traffic Both TCP and UDP:
I'm NOT checking "Established" and "Related":
In the "Destination" tab I'm listing the Pi-Hole's IP address and Port 53:
And I can now list ONLY the Pi-Hole's IP address as the DNS server for VLAN20:
I just connected my Windows 10 desktop and ran an ipconfig /all and I get this:
DNS Servers . . . . . . . . . . . : 192.168.10.2
Success! This was probably pretty simple for most of you but it sure had me stumped.
Ok that makes sense, I didn't notice that for the 192.168.10.0/24 dhcp server you had a different default-router than dns-server.
shared-network-name LAN {
authoritative enable
subnet 192.168.10.0/24 {
default-router 192.168.10.1
dns-server 192.168.10.2
lease 86400
start 192.168.10.2 {
stop 192.168.10.243
}
static-mapping Switch8 {
ip-address 192.168.10.57
mac-address XXXX
}
}
}
If you add something like
rule 20 {
action accept
description allow_dns_to_pi_hole
destination {
address 192.168.10.2
port 53
}
log disable
protocol tcp_udp
state {
established enable
new enable
related enable
}
}
to the GUEST_TO_LAN ruleset, you should be able to paste the following CLI commands:
configure
set firewall name GUEST_TO_LAN rule 20 action accept
set firewall name GUEST_TO_LAN rule 20 description allow_dns_to_pi_hole
set firewall name GUEST_TO_LAN rule 20 destination address 192.168.10.2
set firewall name GUEST_TO_LAN rule 20 destination port 53
set firewall name GUEST_TO_LAN rule 20 log disable
set firewall name GUEST_TO_LAN rule 20 protocol tcp_udp
set firewall name GUEST_TO_LAN rule 20 state established enable
set firewall name GUEST_TO_LAN rule 20 state new enable
set firewall name GUEST_TO_LAN rule 20 state related enable
commit
Then change the DHCP server for your guest network to use 192.168.10.2 as the dns-server, like it is in the LAN.
Then from a PC in the guest network, do a DHCP release and renew to get a new lease, verify that the DNS server is 192.168.10.2 with ipconfig /all, and then verify that you can browse the internet. If that works, then change it for IoT and make sure your configuration is saved. And make a backup too.
I didn't notice your latest post before I posted. Oh well, glad you got it working.
You have learned a lot more than you would have if you let someone else fix it.
Do you mind uploading your fixed sanitized config, just so future readers can see what changed to allow it to work?
@BuckeyeNet wrote:
Do you mind uploading your fixed sanitized config, just so future readers can see what changed to allow it to work?
Sure. I had a moment of clarity tonight: I remembered I already had a rule to allow DNS from all the VLANs and noticed it was at the top of the GUEST_TO_LOCAL ruleset, so I just copied that and added the Pi-hole's IP in the Destination tab and voila. Thanks for all your help.
firewall {
all-ping enable
broadcast-ping disable
group {
network-group RFC1918 {
description ""
network 192.168.0.0/16
network 172.16.0.0/12
network 10.0.0.0/8
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name GUEST_TO_LAN {
default-action accept
description "Guest & IoT"
rule 10 {
action accept
description "allow PiHole DNS"
destination {
address 192.168.10.2
port 53
}
log disable
protocol tcp_udp
}
rule 20 {
action accept
description Established
log disable
protocol all
state {
established enable
invalid disable
new disable
related enable
}
}
rule 30 {
action drop
description "Network Group"
destination {
group {
network-group RFC1918
}
}
log disable
protocol all
}
}
name GUEST_TO_LOCAL {
default-action drop
description "Guest & IOT"
rule 10 {
action accept
description DNS
destination {
port 53
}
log disable
protocol tcp_udp
}
rule 30 {
action accept
description DHCP
destination {
port 67
}
log disable
protocol udp
}
rule 40 {
action accept
description Established
log disable
protocol all
state {
established enable
invalid disable
new disable
related enable
}
}
}
name WAN_IN {
default-action accept
description ""
rule 10 {
action accept
description "Allow established/related"
log disable
protocol all
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
log disable
protocol all
state {
invalid enable
}
}
rule 21 {
action drop
description BLOCK_SSH
destination {
address 192.168.40.0/24
port 22
}
log disable
protocol tcp
}
}
name WAN_LOCAL {
default-action drop
description "WAN to router"
rule 10 {
action accept
description "Allow established/related"
log disable
protocol all
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
log disable
protocol all
state {
invalid enable
}
}
}
name WAN_OUT {
default-action accept
description ""
rule 1 {
action drop
description "BLOCK HTTP"
destination {
port 80
}
log disable
protocol tcp
source {
address 192.168.40.0/24
}
state {
established enable
invalid disable
new enable
related enable
}
}
rule 2 {
action drop
description "BLOCK HTTPS"
destination {
port 443
}
log disable
protocol tcp
source {
address 192.168.40.0/24
}
state {
established enable
invalid enable
new enable
related enable
}
}
rule 3 {
action drop
description "Block SSH"
destination {
port 22
}
log disable
protocol tcp
source {
address 192.168.40.0/24
}
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
address dhcp
description Internet
duplex auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
out {
name WAN_OUT
}
}
speed auto
}
ethernet eth1 {
description Local
duplex auto
speed auto
}
ethernet eth2 {
description Local
duplex auto
speed auto
}
ethernet eth3 {
address 192.168.25.1/24
description "Emergency Access"
duplex auto
speed auto
}
ethernet eth4 {
description Local
duplex auto
speed auto
}
loopback lo {
}
switch switch0 {
description Local
mtu 1500
switch-port {
interface eth1 {
vlan {
pvid 10
}
}
interface eth2 {
vlan {
pvid 40
}
}
interface eth4 {
vlan {
pvid 10
vid 20
vid 30
}
}
vlan-aware enable
}
vif 10 {
address 192.168.10.1/24
description LAN
}
vif 20 {
address 192.168.20.1/24
description VLAN20
firewall {
in {
name GUEST_TO_LAN
}
local {
name GUEST_TO_LOCAL
}
}
}
vif 30 {
address 192.168.30.1/24
description VLAN30
firewall {
in {
name GUEST_TO_LAN
}
local {
name GUEST_TO_LOCAL
}
}
}
vif 40 {
address 192.168.40.1/24
description IPMI
firewall {
in {
name GUEST_TO_LAN
}
local {
name GUEST_TO_LOCAL
}
out {
}
}
mtu 1500
}
}
}
service {
dhcp-server {
disabled false
hostfile-update disable
shared-network-name Emergency_Access {
authoritative disable
subnet 192.168.25.0/24 {
default-router 192.168.25.1
dns-server 192.168.25.1
dns-server 8.8.8.8
lease 86400
start 192.168.25.5 {
stop 192.168.25.10
}
}
}
shared-network-name LAN {
authoritative enable
subnet 192.168.10.0/24 {
default-router 192.168.10.1
dns-server 192.168.10.2
lease 86400
start 192.168.10.2 {
stop 192.168.10.243
}
static-mapping Switch8 {
ip-address 192.168.10.57
mac-address xx:xx:xx:xx:xx:xx
}
}
}
shared-network-name VLAN20 {
authoritative disable
subnet 192.168.20.0/24 {
default-router 192.168.20.1
dns-server 192.168.10.2
lease 86400
start 192.168.20.5 {
stop 192.168.20.99
}
}
}
shared-network-name VLAN30 {
authoritative disable
subnet 192.168.30.0/24 {
default-router 192.168.30.1
dns-server 192.168.30.1
lease 86400
start 192.168.30.5 {
stop 192.168.30.99
}
}
}
shared-network-name VLAN40 {
authoritative disable
subnet 192.168.40.0/24 {
default-router 192.168.40.1
dns-server 192.168.40.1
dns-server 8.8.8.8
lease 86400
start 192.168.40.2 {
stop 192.168.40.20
}
}
}
static-arp disable
use-dnsmasq disable
}
dns {
forwarding {
cache-size 150
listen-on eth1
listen-on eth3
listen-on switch0.10
listen-on eth4
listen-on switch0.20
listen-on switch0.30
listen-on switch0.40
}
}
gui {
http-port 80
https-port 443
older-ciphers enable
}
nat {
rule 1 {
description DNS
destination {
port 53
}
disable
inbound-interface switch0
inside-address {
address 192.168.10.2
port 53
}
log disable
protocol tcp_udp
source {
address !192.168.10.2
}
type destination
}
rule 5010 {
description "masquerade for WAN"
outbound-interface eth0
type masquerade
}
}
ssh {
port 22
protocol-version v2
}
unms {
disable
}
}
system {
host-name ubnt
login {
user xxx {
authentication {
encrypted-password *X
plaintext-password *X
}
level admin
}
}
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
offload {
hwnat enable
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone X
traffic-analysis {
dpi enable
export enable
I think the important ordering is that the allow DNS rule needs to come before the drop to RFC1918 addresses. I think it would be more efficient to put your allow established/related rule above the DNS rule, because it is going to be hit more frequently than the DNS rule.
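To make the ordering point above concrete, here is an added example (not code from the thread or from EdgeOS) that models how a named EdgeOS ruleset is walked: top to bottom in rule-number order, first match wins, and the default-action applies only when nothing matched. It loads the three GUEST_TO_LAN rules from the config posted above and evaluates a new guest-to-Pi-hole DNS packet against the working order, against the order that did not work (DNS allow below the RFC1918 drop), and against the established-first reordering suggested above. The packet tuples and the BROKEN/EFFICIENT orderings are constructed for illustration; the matching logic is a simplified model (destination, port, protocol and conntrack state only) and is not EdgeOS's own evaluator.

```python
"""First-match evaluation of an EdgeOS-style named ruleset (added example)."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                          # "accept" or "drop"
    description: str
    protocol: str = "all"                # "all", "tcp", "udp" or "tcp_udp"
    dst_networks: Tuple[str, ...] = ()   # destination address/network match (empty = any)
    dst_port: Optional[int] = None       # destination port match (None = any)
    states: Tuple[str, ...] = ()         # conntrack states enabled on the rule (empty = any)

    def matches(self, proto: str, dst: str, dport: int, state: str) -> bool:
        """Simplified model of one rule's match criteria (assumption: no source match)."""
        if self.protocol != "all":
            wanted = {"tcp", "udp"} if self.protocol == "tcp_udp" else {self.protocol}
            if proto not in wanted:
                return False
        if self.dst_networks and not any(
            ip_address(dst) in ip_network(n, strict=False) for n in self.dst_networks
        ):
            return False
        if self.dst_port is not None and dport != self.dst_port:
            return False
        if self.states and state not in self.states:
            return False
        return True


def evaluate(rules, proto, dst, dport, state="new", default_action="accept"):
    """Walk the ruleset in numeric order; first match wins, else default-action.

    Returns (action, rule_number); rule_number is None when default-action applied.
    """
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(proto, dst, dport, state):
            return rule.action, rule.number
    return default_action, None


# The three GUEST_TO_LAN rules from the config posted above (default-action accept).
ALLOW_PIHOLE_DNS = Rule(10, "accept", "allow PiHole DNS", "tcp_udp", ("192.168.10.2",), 53)
ESTABLISHED = Rule(20, "accept", "Established", states=("established", "related"))
DROP_RFC1918 = Rule(30, "drop", "Network Group", dst_networks=RFC1918)

# Working order as posted: the DNS allow (10) sits above the RFC1918 drop (30).
WORKING = [ALLOW_PIHOLE_DNS, ESTABLISHED, DROP_RFC1918]
# Constructed "before" order: the DNS allow was appended below the drop, so it never fires.
BROKEN = [replace(ESTABLISHED, number=10), replace(DROP_RFC1918, number=20),
          replace(ALLOW_PIHOLE_DNS, number=30)]
# The reordering suggested above: established/related first, DNS allow still above the drop.
EFFICIENT = [replace(ESTABLISHED, number=10), replace(ALLOW_PIHOLE_DNS, number=20), DROP_RFC1918]

if __name__ == "__main__":
    # Constructed packets from a guest client: new DNS query to the Pi-hole, new SMB to a
    # LAN host, a reply packet on an existing flow, and a DNS query to a public resolver.
    packets = [
        ("udp", "192.168.10.2", 53, "new"),
        ("tcp", "192.168.10.5", 445, "new"),
        ("tcp", "192.168.10.5", 445, "established"),
        ("udp", "8.8.8.8", 53, "new"),
    ]
    for name, rules in (("WORKING", WORKING), ("BROKEN", BROKEN), ("EFFICIENT", EFFICIENT)):
        for proto, dst, dport, state in packets:
            action, num = evaluate(rules, proto, dst, dport, state)
            print(f"{name:9} {proto:3} -> {dst}:{dport} ({state}): {action} via rule {num}")
```

The last packet shows the other side of the posted ruleset: a guest host that ignores the DHCP-supplied DNS server and queries 8.8.8.8 directly is not caught by any rule and falls through to the default accept, so handing out the Pi-hole address alone does not force clients through it.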